[Infrastructures] sarbanes-oxley
Eric Sorenson
eric@explosive.net
Tue, 15 Mar 2005 12:14:07 -0800 (PST)
On Tue, 15 Mar 2005, Steve Traugott wrote:
> On Sat, Mar 12, 2005 at 11:26:16AM -0500, David Magda wrote:
> > On Mar 10, 2005, at 17:50, Steve Traugott wrote:
> > >My own thoughts include an opinion that Sarbanes-Oxley sections 404 and
> > >802 are likely to make NFS even less appealing by comparison.
> >
> > Are there any decent documents that give a decent summary of S-O? It
> > seems to be a fairly large concern, but since some of us are not in the
> > US we may not be up on all of this.
>
> An accurate summary is hard to define because the legislation is new,
> with implications more complex than the law itself, most of which are
> not fully understood by anyone, because it's anyone's guess how auditors
> and courts are going to interpret much of it. Google for it -- there's
> a copy of the act at http://www.law.uc.edu/CCL/SOact/toc.html, and lots
> of pundit interpretations everywhere, many of which disagree with each
> other.
For this pundit's interpretation, from having done a crapload of SOX
work (and a successful audit, I might add), read the posts here:
http://eric.explosive.net/policy/index.html
The most important thing to keep in mind is this: the scope of SOX
controls is within your power to define. Everything that is directly
related to company financials is within scope, any IT functions which
are directly and solely in support of financial functions are within
scope, and the rest of your infrastructure is a gray area that is open
to interpretation. For example, we were able to argue that since
there were adequate access controls in place to prevent non-finance
people from accessing finance-related data, mandatory password change
controls should not be applied to engineering staff. The relative
strength or age of their passwords was immaterial to SOX scope
because their user accounts had no access to the relevant data.
Be really, really cautious about vendors selling SOX-related products,
consultants insisting that you implement sweeping changes across the
enterprise, and people (myself included!) spreading FUD about what you
as a sysadmin should or should not be doing for compliance.
--
- Eric Sorenson - N37 17.255 W121 55.738 - http://eric.explosive.net -
- Personal colo with a professional touch - http://www.explosive.net -